
This is a bigger issue than 'credit agencies have poor security'. This is an issue of 'standard authentication in the US is negligently weak'.

Knowledge of a SSN and other public information should never be enough to authenticate any person. That means no credit issued based on that, no tax returns filed or viewed based on that, no checks sent based on that.

The solution is not better security with credit companies. The solution is some form of actual authentication. Preferably done by an organization dedicated to that (public would be best, private could work); not outsourced to organizations that are mostly geared towards determining credit worthiness.

For the public system, assign to every participant a true unique identifier, rather than the SSN which explicitly states should not be used as such.

For those citizens that do not want to register in this way, allow for physical authentication at physical locations.

In Europe this is far less of an issue since our population registration is a lot more comprehensive.




To this point: does “identity theft” really exist, or is this simply a reframing of banks, etc., completely failing at authentication?


Identity theft is an amazing PR term, not-so-subtly shifting blame onto the individual whose identity was fraudulently used.

* The PII wasn't stolen from me, it was negligently exposed by services I contract with (and pay!) and others that I have no formal relationship with (like Equifax).

* It wasn't defrauding me, it was defrauding services I contract with (and others) who failed to verify my identity.

And yet somehow I'm obligated to do the cleanup myself.


Yup. The quickest way to stop these sorts of things from happening is to make the banks responsible for accepting/using stolen information (i.e. facilitating identity theft). For some odd reason, it's the person's responsibility now that the bank used fraudulent information.


The concept of "identity theft" (i.e. the hacker stole your identity vs. the hacker used false credentials to steal from the bank) is probably the single greatest feat of social engineering of our times.


Point. Identity hacking would be more accurate.

In that the attacker is creatively operating the system, rather than really possessing magic knowledge.


Today, you are not you, you are your data, a persona. And you are somehow responsible for it or anything that casts a similar shadow.


In the US especially, there is a very good reason to oppose any such measure - there is no political will to implement restrictions on how private companies could use that system.

The setup for these breaches is entirely due to companies being able to require your SSN for whatever purpose, and indefinitely store it basically however they'd like. Either the government should have never assigned a mandatory unique identifier to every individual, or there should have been strict laws about what purposes it could be requested/used for, how it could be stored, and steep statutory liability for screwing those up.

But the political attitude in the US is to have the government do the bare minimum and private companies will take up the charge. However for many subjects the resulting mix is the worst of both worlds - given the tiniest hook into governmental power, the private sector eagerly implements totalitarian solutions for which there is no opting out.

Presently, the naive legal mandates of SSN's, driver's license numbers, and license plates are being heavily abused to enable pervasive corporate surveillance. These existing identifiers already make too good of keys for cross-linking every other ill-gotten datum on a person. The main thing that keeps every single business from demanding these identifiers is people's ambiguous worry of just handing them out, due to their technical shortcomings. Imagine going to a grocery store and having to present your national electronic ID to get the sale prices, with no alternative.

previously: https://news.ycombinator.com/item?id=19880374


I agree, SSN's are a poor form of authentication. What's missing from these conversations is realistic approaches to fixing it. It's a lot like healthcare: plenty of people want to get rid of Obamacare, but they fail to explain what will replace it.

> For the public system, assign to every participant a true unique identifier, rather than the SSN which explicitly states should not be used as such.

This will work for a time, but what happens when the next breach occurs? How do people renew their UUID's? Expire compromised ones?

> For those citizens that do not want to register in this way, allow for physical authentication at physical locations.

Physical authentication probably means fingerprints, face data, correct? These are already compromised. Worse yet, they cannot be changed.

CCTV cameras are everywhere, and getting better resolution each day. Face authentication can be easily duplicated - some of the early versions of FaceID (by Apple) were broken by 3-D printing a mask [2]. Furthermore, some organizations are already compiling a list of "face data" that can be used to fool sensors and other biometric tools. By the time "face readers" are widespread, hackers will already have large pools of face data to use to hack into these systems.

There are other cases where fingerprints have been printed using a 3-D printer and have broken security of mobile smartphones [1]. What's to say whatever government issued terminal won't be broken in a similar way? Furthermore, it's not easy to expect people to guard their fingerprints: every glass they drink at a restaurant will have their fingerprints. I don't expect to shed my SSN whenever I order a pint at my favorite pub.

[1]: https://www.theverge.com/2019/4/7/18299366/samsung-galaxy-s1...

[2]: https://www.wired.co.uk/article/hackers-trick-apple-iphone-x...


> I agree, SSN's are a poor form of authentication. What's missing from these conversations is realistic approaches to fixing it.

SSNs are a poor form of authentication because they're ostensibly secret but re-used everywhere. It's just like a password in that regard: no password is secure against reuse, no matter how strong it is on paper.

A minimal change would be to allow/encourage single-use SSN-equivalents, generated on demand by a central authority. That is, someone would give a different "SSN" to their employer, their bank, the IRS, and their cable company (for credit check).

That still provides a point of vulnerability, but that is far better than the current system where a single credit application form is a global compromise. If a single-use number is compromised, it could be easily revoked without affecting the person otherwise. Likewise, numbers could easily be generated with short expiry dates to make use from stored credentials impossible.
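Added illustration, not part of any commenter's post: a minimal sketch of the per-recipient identifier scheme proposed in the comment above, where a number leaked by one organization is rejected everywhere else and can be revoked or left to expire. The `IdentifierAuthority` class, its method names and the sample party names are hypothetical.

```python
import secrets
import time


class IdentifierAuthority:
    """Hypothetical central authority issuing per-recipient identifiers."""

    def __init__(self):
        self._records = {}  # issued number -> binding details

    def issue(self, person, relying_party, ttl_seconds, now=None):
        """Mint a random number valid only for one relying party."""
        now = time.time() if now is None else now
        number = secrets.token_hex(8)  # unguessable, carries no personal data
        self._records[number] = {
            "person": person,
            "relying_party": relying_party,
            "expires": now + ttl_seconds,
            "revoked": False,
        }
        return number

    def revoke(self, number):
        """Kill one leaked number; the person's other numbers are unaffected."""
        self._records[number]["revoked"] = True

    def verify(self, number, relying_party, now=None):
        """Return 'ok' or the reason the number must be rejected."""
        now = time.time() if now is None else now
        record = self._records.get(number)
        if record is None:
            return "unknown"
        if record["relying_party"] != relying_party:
            return "wrong_party"  # number leaked from another organization
        if record["revoked"]:
            return "revoked"
        if now >= record["expires"]:
            return "expired"  # stale stored credential
        return "ok"


def demo():
    """Constructed scenario: the bank's copy leaks and is replayed elsewhere."""
    authority = IdentifierAuthority()
    bank_no = authority.issue("person-001", "bank", ttl_seconds=3600, now=1000)
    employer_no = authority.issue("person-001", "employer", 3600, now=1000)
    replayed = authority.verify(bank_no, "cable-co", now=1500)
    authority.revoke(bank_no)
    return (replayed, authority.verify(bank_no, "bank", now=1500),
            authority.verify(employer_no, "employer", now=1500))
```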


> This will work for a time, but what happens when the next breach occurs?

The UUID shouldn't be assumed to be private information - authentication should be built around the assumption that this identifier is a public identifier - like a name, but guaranteed to be unique.

> Physical authentication probably means fingerprints, face data, correct? These are already compromised. Worse yet, they cannot be changed.

Even if those are compromised, that doesn't mean it has to be easy to impersonate you. The solution may be low-tech - you may have to physically present yourself to a human who assesses if you are indeed who you say you are before opening an account. The higher-tech solution for physical authentication might require something akin to chip-and-pin or a (revocable) token generator a la YubiKey.


Careful what you wish for with the low-tech solution. One of the most effective vectors for phone number port-out scams is just showing up to a local cell phone shop and presenting a fake id. Often this is completely free for the attacker since they can just opt to have a new phone added to the account on credit too.


The assessment doesn't need to be based on a potentially counterfeit ID the subject brings, in my hypothetical scheme. It would probably be better to do out-of-band verification with the private/public provider of the ID (State or DMV, for example).

edit: if the value of identity were to be elevated, then the physical security at these locations would be increased to the level of banks or cash-handling facilities to increase the cost of failed attempts at impersonation (to the level similar to attempted cash heists). In fact, the local phone shops should be barred/disincentivized from doing auth badly themselves and should outsource this function, just like they do with creditworthiness.


> The UUID shouldn't be assumed to be private information - authentication should be built around the assumption that this identifier is a public identifier - like a name, but guaranteed to be unique.

In that case, we already have this today: At the state level, most citizens have a Drivers license or State ID, both of which have a unique ID. At the federal level, all US passports have a unique Passport Number. Granted, not all citizens have a passport, but that system is in place to grant citizens unique identifiers.

And yet we still have identity issues. So this is part of the solution.

> Even if those are compromised, that doesn't mean it has to be easy to impersonate you. The solution may be low-tech - you may have to physically present yourself to a human who assesses if you are indeed who you say you are before opening an account. The higher-tech solution for physical authentication might require something akin to chip-and-pin or a (revocable) token generator a la YubiKey.

This is a great idea. I believe France's healthcare system requires every citizen to have a card [1], which uses a chip and pin tech to authenticate the person with their doctor. This could be used for online services or over the phone too.

What the US needs is a branch specifically for administering these "identity cards". The Social Security Administration could be rebranded to an "Identity Administration" or something, then they will manage the distribution and revocation / recycling of these national ID cards.

But for some reason Americans get spooked when you say the words "National ID". Something about how "socialism is bad" and all that.

[1]: https://en.wikipedia.org/wiki/Carte_Vitale


The Real ID Act [0] effectively made all state ID's into national ID's. All but 6 states are already compliant, and the last 6 will likely become compliant by next year, lest their citizens become unable to use domestic air travel without a passport.

[0] https://en.wikipedia.org/wiki/Real_ID_Act


> What's missing from these conversations is realistic approaches to fixing it.

Do you really want to mandate that?

Valuing someone's personal information at $100,000 per person and then fining the snot out of companies that lose it seems like a much more "market driven" solution.

It also means that companies will work really hard to minimize any personal information at all--which is really what you want in the first place.


> I agree, SSN's are a poor form of authentication. What's missing from these conversations is realistic approaches to fixing it.

> This will work for a time, but what happens when the next breach occurs? How do people renew their UUID's? Expire compromised ones?

The unique identifier would be an identifier only, not something for authentication. But before you can authenticate any identity, you need a way to identify that identity. Hence I consider that a base-requirement. Then we need to build a system of authentication points around this identifier. Heck, if SSNs were unique just re-purposing those for the ID would work just fine.

> Physical authentication probably means fingerprints, face data, correct? These are already compromised. Worse yet, they cannot be changed.

No, I mean going to a physical desk and authenticating however you already can do this. This would be something like a valid government-issued ID and a birth certificate. Essentially, whatever is needed to get a passport, have the same system here. Because that is essentially your weakest link already. I added this option to appease the American fear of government tracking.

As for a proposal for fixing it, I would point to two systems.

* The Estonian system, where every citizen is given an ID-card that is also a smart-card with a public key.

* The Dutch system, which I am most familiar with.

Let me expand on how the Dutch system (called DigiD) works. Though I should note the system has flaws, and there are valid criticisms. However, it hasn't had any big failures. The system works as follows:

Anyone can apply for an account, at which point the government will mail you instructions for setting up a simple username-password based authentication. Key behind this system is the 'Basis register of persons'. It is a national database (maintained by the municipalities) of all legal inhabitants and some info about them. Most importantly for this system, an address. This is what makes it possible for the government to send mail to a citizen.

To my mind, the above system of mail could/should be replaced by a visit to the municipal administration, where your ID-card is verified. (Notably, everyone over the age of 14 needs a valid government-issued ID)

Obviously, implementing something like this in the US would be hard. Mostly because mandated ID-cards and a government database of addresses would not be politically acceptable. I don't know the details of the Estonian system, maybe that would require less invasive tracking of citizens.

I'm guessing most European countries have similar systems of government-based authentication.

Really though, these systems start with knowing who your citizens are and being able to identify them. And should this not be a basic requirement of a government?


The Belgians have this tool called "itsme" which acts as authentication manager/digital signature tool with authorized partners.

After validating your ID, you can use the app to do 2FA with most major services in the country, including almost every bank and financial institution.

https://www.itsme.be/en/

A program like this could go a long way in the US to help cut down on the issue you describe.


Thanks. Another example is the Dutch DigiD: https://www.digid.nl/en/about-digid/


You should look into the Estonian ID card program. It's exactly what should be done.


I really wish the mainstream media could pick up more on this, and instead of framing all these breaches and news as Identity Theft, reframe them to the credit companies offloading burden of risk onto consumers. Most people don't even have the context of what is really going on with this. We all should really assume that our SSN & PII is splattered across hundreds if not thousands of databases all in various states of protection, and not be held liable for the lazy credit companies whose business is based on not making it hard to get instant credit for all those emotional purchases...


> For the public system, assign to every participant a true unique identifier, rather than the SSN which explicitly states should not be used as such.

How do you make this proposed new unique identifier more secure than the (admittedly very unsecure) SSNs?


Only use it as an identifier, not as a part of authentication. The issues with using an SSN as an identifier (username) are:

1) Explicitly not meant as an identifier

2) Not unique

If not for 2, then the SSN could simply be repurposed to be this identifier.



